Search results


  • Incident and Change Management in two separate SW tools?


    Answer:
    Generally, I would suggest keeping all processes in one tool, i.e. that you manage all processes with a single SW solution. The reason for that is that you will have all information in one place and much information will be transferred automatically between process activities (e.g. you enter information only once in Incident Management, and then when you open a Problem ticket or Change request the same data will be transferred). If you don't have that (you asked for risks), then there is a chance that some information will be lost (e.g. asset information which you need for Incident Management as well as Change Management).
  • Estimating the price for risk assessment


    Answer:

    When acting as a consultant, you normally charge per hour or per day - for risk assessment jobs it is usually per day. To calculate the amount of time you'll need for your job, you have to know the following:
    - Are you going to perform the interviews with all the department heads, or are they going to fill out the risk assessment sheets themselves?
    - Are you going to participate in determining the security controls, or will the client do this on their own?
    - Which other documents should you write?

    By the way, as part of our ISO 27001 Consultant Toolkit https://advisera.com/27001academy/consultants/ you'll find a document called "Division of tasks & time plan" which describes all the tasks in more detail, together with the expected timing for each.

    In my book Secure & Simple you'll find a detailed explanation of the risk assessment process: https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

    This article may also help you: 3 phases of delivering an ISO 27001/ISO 22301 consulting job https://advisera.com/27001academy/blog/2015/09/28/3-phases-of-delivering-an-iso-27001iso-22301-consulting-job/
  • Business Continuity or Disaster Recovery?


    Answer:
    I am sorry, but I am not sure what you mean. If your question is related to ISO 27001:2013, to be compliant with the standard you can implement only a Disaster Recovery Plan (DRP) as a minimum (which is related to the IT infrastructure), keeping in mind that the DRP should be based on the results of the risk assessment.

    If your question is related to ISO 22301, you need to implement the Business Continuity and the Disaster Recovery.

    For more information about the Disaster Recovery and the Business Continuity, please read this article “Disaster recovery vs Business continuity” : https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/

    Finally, our online course can be also interesting for you because we give more information about the Business Continuity “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Certification that better suits a Health Maintenance Organization


    Answer:
    From the point of view of information security, the best certification could be ISO 27001, because this standard is the most important in the world, and is specifically developed for the protection of information.

    You can also use ISO 27001 together with ISO 27799, which is another standard specifically developed for the protection of personal health information.

    This article can be interesting for you “How ISO 27001 and ISO 27799 complement each other in health organizations” : https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/

    And our online course can be also interesting for you because we give more information about ISO 27001 “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • QMS and CMMI in software company


    Answer:

    QMS or ISO 9001 has the same requirements for every industry and it is applicable to any industry as well. A QMS for software companies differs from a QMS in other industries only in the sense that software companies have different processes than other industries, and those processes must be aligned with ISO 9001.

    Capability Maturity Model Integration (CMMI) is a process improvement training and appraisal program and service administered and marketed by Carnegie Mellon University (CMU) and required by many DoD and U.S. Government contracts, especially in software development. CMU claims CMMI can be used to guide process improvement across a project, division, or an entire organization. CMMI defines the following maturity levels for processes: Initial, Managed and Defined. Currently supported is CMMI Version 1.3. CMMI is registered in the U.S. Patent and Trademark Office by CMU.

    CMMI currently addresses three areas of interest:
    - Product and service development — CMMI for Development (CMMI-DEV),
    - Service establishment and management — CMMI for Services (CMMI-SVC), and
    - Product and service acquisition — CMMI for Acquisition (CMMI-ACQ).

    CMMI was developed by a group of experts from industry, government, and the Software Engineering Institute (SEI) at CMU. CMMI models provide guidance for developing or improving processes that meet the business goals of an organization. A CMMI model may also be used as a framework for appraising the process maturity of the organization.
  • EFQM and ISO 9001


    Answer:

    EFQM (the European Foundation for Quality Management) is a not-for-profit membership foundation in Brussels, established in 1989 to increase the competitiveness of the European economy. The initial impetus for forming EFQM was a response to the work of W. Edwards Deming and the development of the concepts of Total Quality Management.

    The EFQM Excellence Model is a non-prescriptive business excellence framework for organizational management systems, promoted by EFQM (formerly known as the European Foundation for Quality Management) and designed for helping organizations in their drive towards being more competitive. The Model is regularly reviewed and refined: the last update was published in 2013.

    Regardless of sector, size, structure or maturity, organizations need to establish appropriate management systems in order to be successful. The EFQM Excellence Model is a practical tool to help organizations do this by measuring where they are on the path to excellence; helping them understand the gaps; and then stimulating solutions.

    ISO 9001 can be considered as a tool for achieving EFQM in the same way it is a part of Total Quality Management.

    For more information, see: List of Quality Management Standards and Frameworks https://advisera.com/9001academy/knowledgebase/list-of-quality-management-standards-and-frameworks/
  • Indicators and ISO 27001


    Answer:
    First of all, ISO 27001:2013 does not require you to use indicators; it only requires you to set objectives and define how to measure them, including who will report and evaluate the results, and when. This article can help you “How to perform monitoring and measurement in ISO 27001” : https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

    By the way, it is important to differentiate between the measurement and the risk assessment, because they are completely different things. This article can give you more information about the risk assessment "ISO 27001 risk assessment & treatment - 6 basic steps" : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

    Regarding the assessment to obtain a diagnostic, I am not sure if I have understood your question, but habitually the internal audit is performed to evaluate the ISMS implemented, and you can also use it as diagnostic. If you want to perform an internal audit, this article can be interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

    Finally, our online course can be also interesting for you because we give more information about the measurement of an ISMS “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
  • Is the risk evaluation necessary?


    Answer:

    The standard requires the organization to determine risks and opportunities that need to be addressed and to keep records of such risks and opportunities. How will the organization know whether a risk should be addressed or not without evaluation? The evaluation doesn't have to be structured, nor is any methodology required, but the organization simply must decide which risks should be addressed, and this is practically an evaluation.

    For more information, see:
    - Risks and opportunities in ISO 14001:2015 – What they are and why they are important https://advisera.com/14001academy/blog/2016/03/07/risks-and-opportunities-in-iso-140012015-what-they-are-and-why-they-are-important/
  • Alignment of ISO 9001:2015 and ISO/TS 16949


    Answer:

    ISO 9001:2015 no longer has the same structure as the 2008 and 2000 revisions of ISO 9001. Unfortunately, ISO/TS 16949:2009 is based on ISO 9001:2008, so compliance with both standards will require changes in clause numbers for practically the same requirements. The rest of the changes made in ISO 9001:2015 compared to the previous version of the standard do not significantly affect ISO/TS 16949, since they are mostly additions to the existing system. We are now waiting for the new version of TS 16949; it will probably keep the same numbering as the old one, so it will probably make integration with ISO 9001 more difficult than it is now, but we expect less dramatic changes compared to ISO 9001.

    For more information, see:
    - ISO 9001 vs ISO/TS 16949 https://advisera.com/9001academy/blog/2014/10/01/iso-9001-vs-isots-16949/
    - 5 Main Changes Expected in ISO 9001:2015 from the 2014 Draft International Standard (DIS) http://advisera.com/9001academy/knowledgebase/5-main-changes-expected-in-iso-90012015-from-the-2014-draft-international-standard-dis/
  • Examples of different types of assets


    Answer: Sure, here's an article that suggests the assets for different categories: How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    This article may also help you: ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

    Finally, this free online course explains the whole process of asset identification and risk assessment: ISO 27001 Foundation Course https://advisera.com/training/iso-27001-foundations-course/
